Windows Server 2012 AD VM-Generation ID functionality is not…

…an alias for Active Directory anti-USN Rollback functionality. I heard that today and I wanted to spit on my monitor.

…a statement from Microsoft that you can’t hurt yourself when virtualizing DCs. I have heard this implied multiple times in the last few months, primarily from Microsoft Consulting folks who aren’t actually supporting any systems, just selling solutions.

Yes people, USN rollback is STILL absolutely possible with VM-Generation ID (vmgenid) functionality fully engaged and properly configured. You are only protected in a very limited set of very specific circumstances: reverting a snapshot on a vmgenid-aware virtualization platform, or importing a VM with the export settings feature of a vmgenid-aware virtualization platform. Those are the operations the hypervisor itself knows about, so those are the operations where it hands the guest a new generation ID and the DC responds by resetting its invocation ID and discarding its RID pool. For any other kind of activity involving the VHD files, such as file copies, file restores, SAN/NAS snapshot and restore functions, etc., you had better be dead sure that the functionality actually fires, because the hypervisor never sees those operations and has no reason to change the generation ID. I will make it simple: it probably doesn’t work like you think, because Microsoft didn’t try to account for every possible stupid thing people might consider doing or accidentally do in the heat of battle.

So outside of the two things they protect you from, there are other actions that can put you into a USN rollback situation and are not protected against with Windows Server 2012 AD. I can list several such actions off the top of my head, and it isn’t a stretch to think someone would try them.
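As an added example, not code from the original post, here is a PowerShell audit that answers the questions raised above for every DC in the domain: is this DC actually tracking a generation ID at all (a physical DC, or a DC on a hypervisor that does not expose vmgenid, has nothing to protect it from a snapshot revert), has it already handled a generation change, and has a USN rollback already been detected. It assumes the RSAT ActiveDirectory module, PowerShell remoting to each DC, and Domain Admin rights. Event 2095 (USN rollback detected) and 2170 (Generation ID change detected) in the Directory Service log, and the "DSA Not Writable" = 4 registry value, are the indicators Microsoft documents for these conditions.

```powershell
# Added audit script, not code from the original post. Assumptions: RSAT ActiveDirectory
# module installed, PowerShell remoting enabled on every DC, run as a Domain Admin.
Import-Module ActiveDirectory

function Get-DcRollbackState {
    param([Parameter(Mandatory)][string]$Dc)

    $dcInfo = Get-ADDomainController -Identity $Dc

    # msDS-GenerationId lives on the DC's own computer object and is NOT replicated,
    # so it must be read from that DC. No value here means no vmgenid protection at all
    # (physical DC, or a hypervisor that does not present a generation ID).
    $obj = Get-ADObject -Identity $dcInfo.ComputerObjectDN -Server $Dc -Properties 'msDS-GenerationId'
    $genId = $obj.'msDS-GenerationId'
    $genHex = if ($genId) { ($genId | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }

    # NTDS sets "DSA Not Writable" = 4 once it detects a USN rollback and quarantines itself
    # (replication disabled, Netlogon paused). Read it on the DC via remoting.
    $dsaNotWritable = Invoke-Command -ComputerName $Dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'
    }

    # 2095 = a replication partner detected USN rollback (the case vmgenid does NOT cover
    #        for plain VHD copies, file restores, SAN/NAS restores).
    # 2170 = Generation ID change detected (vmgenid fired: new invocation ID, RID pool discarded).
    $events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2170 } -MaxEvents 100

    [pscustomobject]@{
        DomainController      = $dcInfo.HostName
        InvocationId          = $dcInfo.InvocationId
        VmGenerationIdTracked = [bool]$genHex
        VmGenerationId        = $genHex
        GenIdChanges          = @($events | Where-Object Id -eq 2170).Count
        UsnRollbackDetected   = ($dsaNotWritable -eq 4) -or (@($events | Where-Object Id -eq 2095).Count -gt 0)
        LastRelevantEvent     = ($events | Select-Object -First 1).TimeCreated
    }
}

# Audit every DC in the current domain, then list the ones that need attention:
# no generation ID being tracked (no snapshot protection) or a rollback already detected.
$report = Get-ADDomainController -Filter * | ForEach-Object { Get-DcRollbackState -Dc $_.HostName }
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.VmGenerationIdTracked -or $_.UsnRollbackDetected }
```

The useful reading of the report is the combination of columns: a DC with VmGenerationIdTracked false is a DC where a snapshot revert will produce a silent USN rollback no matter what the hypervisor vendor says, and a DC with UsnRollbackDetected true is already quarantined and needs to be demoted and rebuilt or restored properly rather than "fixed" by re-enabling replication. A non-zero GenIdChanges count on a DC nobody admits to having reverted is worth a conversation with whoever owns the virtualization platform.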

Repeat after me… Windows Server 2012 AD makes it "safer" to virtualize. That is a far cry from a carte blanche statement that virtualizing Domain Controllers is "safe"[1] under Windows Server 2012… And yes, I have heard people, including Microsoft Consultants, make that very mistaken statement: "Virtualizing Domain Controllers is now safe under Windows Server 2012", when what they really meant, if someone was smart enough to press them, is "Virtualizing Domain Controllers is now safeR under Windows Server 2012."

So to make this simple.

Yes, you absolutely can shoot yourself in the foot with AD on physical DCs. It can also be insecure.

Virtualization made the dangerous and insecure scenarios that were already possible on physical DCs easier and, IMO, far more likely to occur in the real world.

Windows Server 2012 AD makes it a little less easy and less likely to occur if you are the type that likes hitting EXPORT SETTINGS or REVERT SNAPSHOT. Otherwise it is the same level of danger as every other version of AD.

So if you have a bee in your bonnet about virtualizing a Domain Controller, you still need to think very long and hard about it. Make sure you are willing to spend the extra money to build the properly, fully redundant infrastructure that you get automatically by having multiple physical DCs, and that you are willing to support it in such a way that you don’t hurt yourself in any of the many ways that become more feasible with virtualized DCs. With Windows Server 2012 AD, Microsoft, thankfully, moved one of the knives a little further out of reach; they didn’t make your skin invincible.

Note I am not saying that virtualizing DCs can’t be done properly. It absolutely can. I have seen and heard of companies who have been doing it for many years. I even actually recommended it once for a very specific use case… Once. As a general rule though, most every design I have seen has had significant shortcomings in the area of redundancy. One of the most common being all virtual guest VHDs living on a single NAS/SAN that everyone seems to think can’t fail. Listen people, I have been in Enterprise Level Data Center situations where a SAN blew out for a couple of days and no virtual machines were able to run because no one could get to their virtual disk files – happened twice in a single week at one company in fact. How well would you do if all of the DCs in one of your core corporate Data Centers were hard down and people still needed to authenticate?

Overall, in my experience over the last decade+, most companies are more worried about costs than doing things properly and those companies should stick with physical DCs because cost cutting doesn’t fit in with the idea of virtualizing Domain Controllers. I would love to say it would always be safe and good, it would make life simpler for most Domain Admins.

joe

P.S. I have driven my Mustang GT well over 130MPH on several occasions with no ill effects. It doesn’t mean the next time I won’t splatter myself all over the highway no matter how careful I am about it. I won’t do it with someone else in the car or in an area where I can endanger someone else, I only have the right to endanger myself. Similarly, I will often, well usually, recommend against virtualization of Domain Controllers for most companies.

UPDATE: Note, if it wasn’t clear or you weren’t aware, the vmgenid "triggers" (the operations that cause the hypervisor to hand the guest a new generation ID) are dependent upon the virtualization platform. Different platforms can have different triggers, meaning you could get different levels of protection from the same action on different platforms; this is key information to understand when architecting your solutions. You need to know when you are protected, when you aren’t, and how.

[1] "safe" as defined as if you fall it doesn’t matter, we have a nice bed of feathers for you to fall in and can’t possibly hurt yourself.

You can also make this same argument for any software that has enterprise wide impact. Don’t rely on your NAS/SAN for all your DBs/exchange/SharePoint/etc. I’ve been at one organization which did go all virtual on DCs. I’ve been at several where the majority of DCs are virtual. There is way too much money spent on redundancy and COOP sites after 9/11 so in my case almost no federal agency will have a single point of failure.